[dns-operations] DNSViz 0.6.7 (FreeBSD 11.1-RELEASE-p10) reports all but first NSEC3 RRSIG as "BOGUS"

Casey Deccio casey at deccio.net
Mon Aug 6 19:25:47 UTC 2018



> On Aug 6, 2018, at 11:54 AM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> Thanks.  I installed the devel snapshot of graphviz, and the problem is gone,
> much appreciated!  I can now generate matching results independently, see
> below...

Just one note on usage.  If there are errors present, but they don't ultimately cause definite validation failures (i.e., there is at least one successful validation path), then DNSViz will categorize it as "VALID"---for example, if half of a set of authoritative servers are serving an expired RRSIG, but the other half are serving a valid RRSIG.  If you're *only* searching for status="SECURE" (not saying you are, but it wasn't clear), then you will miss these partial misconfiguration cases.  So, you can do something like the following to filter out any log messages that aren't warning or higher:

dnsviz probe -a . -A _25._tcp.mail0.transip.nl > /tmp/probe.json
dnsviz grok -c -l warning \
        -t /usr/local/etc/unbound/root.key \
        < /tmp/probe.json

Casey
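The "at least one successful validation path" rule Casey describes is easy to get wrong in a monitoring script, so here is a small model of it as an added example (not DNSViz code, and it does not parse DNSViz's JSON output). It parses RRSIG rdata in presentation format (RFC 4034 section 3.2), checks each authoritative server's copy against the inception/expiration window, and reports the aggregate status the way the message describes: SECURE as long as one server's copy validates, with the expired copies surfacing only as warnings. The server names, signer name and RRSIG records are constructed; the signature field is a placeholder and no cryptographic verification is done, since the point is the temporal check and the aggregation rule.

```python
"""Model of the DNSViz behaviour described above: an RRset is reported
SECURE when at least one authoritative server returns a valid RRSIG,
even if other servers return an expired one.  The expired copies only
show up as warnings, so a check that inspects the top-level status alone
misses them.  Added example code, not part of DNSViz."""
from datetime import datetime, timezone


def _ts(s):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC (RFC 4034 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(rdata):
    """Parse RRSIG presentation format:
    type_covered algorithm labels original_ttl expiration inception
    key_tag signer signature..."""
    f = rdata.split()
    return {
        "type_covered": f[0],
        "algorithm": int(f[1]),
        "labels": int(f[2]),
        "original_ttl": int(f[3]),
        "expiration": _ts(f[4]),
        "inception": _ts(f[5]),
        "key_tag": int(f[6]),
        "signer": f[7],
        "signature": "".join(f[8:]),  # base64, not verified here
    }


def check_rrsig_window(sig, now):
    """Return None when `now` is inside the validity window, else a reason."""
    if now < sig["inception"]:
        return "RRSIG not yet valid (inception %s)" % sig["inception"].isoformat()
    if now > sig["expiration"]:
        return "RRSIG expired at %s" % sig["expiration"].isoformat()
    return None


def assess(per_server_rrsigs, now):
    """per_server_rrsigs maps server name -> list of RRSIG rdata strings
    that server returned for the RRset.  Returns (status, warnings):
    status is SECURE if any server handed back a temporally valid RRSIG
    (the 'at least one validation path' rule), BOGUS otherwise; warnings
    lists every server whose copy fell outside its validity window."""
    warnings = []
    any_valid = False
    for server, rdatas in sorted(per_server_rrsigs.items()):
        for rdata in rdatas:
            problem = check_rrsig_window(parse_rrsig(rdata), now)
            if problem is None:
                any_valid = True
            else:
                warnings.append("%s: %s" % (server, problem))
    return ("SECURE" if any_valid else "BOGUS"), warnings


def strict_ok(per_server_rrsigs, now):
    """The check a monitor should actually apply: SECURE *and* no
    warnings, i.e. every server is serving a currently valid RRSIG."""
    status, warnings = assess(per_server_rrsigs, now)
    return status == "SECURE" and not warnings


# Constructed sample: the message date, and two hypothetical servers of
# which one still serves an RRSIG that expired the day before.
NOW = datetime(2018, 8, 6, 19, 25, 47, tzinfo=timezone.utc)
SAMPLE = {
    "ns0.example.net": [
        "A 8 4 3600 20180820000000 20180730000000 12345 example.net. AAAA"
    ],
    "ns1.example.net": [
        "A 8 4 3600 20180805000000 20180715000000 12345 example.net. AAAA"
    ],
}

if __name__ == "__main__":
    status, warnings = assess(SAMPLE, NOW)
    print("status:", status)
    for w in warnings:
        print("warning:", w)
    print("strict check passes:", strict_ok(SAMPLE, NOW))
```

Run as-is and the aggregate status comes back SECURE while the warning list names ns1.example.net's expired copy; only the stricter check fails, which is the case a status-only search would miss.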